This is the second part in a series about how we can build a serverless workflow using Azure Durable Functions, but implement some of the activities in that workflow using containers with Azure Container Instances. Today we'll look at creating the necessary infrastructure using the Azure CLI.

A Storage Account for Durable Functions to use as well as a File Share for our containers to use

An Application Insights instance for monitoring and diagnostics

A Function App (running on the consumption plan) with a system assigned managed identity

We'll also create another resource group that will be used to host our ACI containers. Then we'll grant contributor access to our managed identity so that our Function App is allowed to create resources in that resource group.

Create Storage Account

As usual, I've chosen to automate this with the Azure CLI in PowerShell. First, we create a resource group for our Storage Account and Function App:

In my demo code, I'm using a random number as part of the Storage Account name, but this means my script isn't idempotent unless I first check whether the Storage Account already exists and use the same random number.

Now we know the Storage Account name we want to use, we can create it with az storage account create which is idempotent if the Storage Account already exists. Then we can get the Storage Account key with az storage account keys list which we need for later.

Create a Function App

We also need a Function App to host our Durable Functions workflow, and connect it to the Storage Account and App Insights instance we just created. The az functionapp create command conveniently has flags that lets us connect everything together and with the --consumption-plan-location flag we can indicate that we want to use the consumption App Service Plan without explicitly needing to create one first.

Give the Function App a Managed Identity

We need to give our Function App a "system assigned" managed identity, and we can use az functionapp identity assign to do that, which again is idempotent, returning the existing identity if one has already been created. I also need to get hold of the principal and tenant ids for use later.

Grant Contributor Rights to the Managed Identity

We want our Function App to have permissions to create new ACI container groups, so we're going to put the managed identity we just created into the "contributor" role for a resource group that will hold all the ACI container groups. Let's create the resource group first:

About Mark Heath

I'm a Microsoft MVP and software developer based in Southampton, England, currently working as a Software Architect for NICE Systems. I create courses for Pluralsight and am the author of several open source libraries. I currently specialize in architecting Azure based systems and audio programming. You can find me on: